Page 1 of 7

Cloudflare IP support

Posted: Wed Oct 29, 2014 1:52 pm
by fulgan
Hello,

My forum is hosted behind the cloudflare service which will act as a proxy server.

However, everything is listed as coming from the proxy server IP, not to original user. Cloudflare adds a special HTTP header to all requests (HTTP_CF_CONNECTING_IP) that contains the original IP address.

Their support suggests that, in order to use that header for monitoring users, I edit the includes/session.php file (there is a single line changed).

I was wondering if, instead, it wouldn't be possible to write a very simple extension for 3.1 that would perform the same change. I guess that it should be possible to make it compatible with more WAFs, reverse proxies and SSL accelerator by allowing the user to configure the HTTP header used for identifying the connecting user IP address.

Thanks

Re: Cloudflare IP support

Posted: Mon Dec 01, 2014 11:13 pm
by faisca1
I have the same problem someone help

Tanks

Re: Cloudflare IP support

Posted: Mon Feb 02, 2015 10:24 pm
by BigDrago
+1, need this.

Where is that sessions file in php 3.1.3?

Re: Cloudflare IP support

Posted: Mon Feb 02, 2015 10:30 pm
by Lumpy Burgertushie
there is no sessions.php file in 3.1
wherever you got those instructions they are out of date.
another problem associated with the use of cloudfare.


robert

Re: Cloudflare IP support

Posted: Tue Feb 03, 2015 12:15 pm
by RMcGirr83
The session.php file is now located within the phpbb directory and it is this line within it that probably needs to be changed.

$this->ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'));

but I agree with Robert, cloudflare has caused problems on many forums. Namely with caching (admin makes a change expecting to see an immediate effect and it doesn't change for a while due to cloudflare).

Re: Cloudflare IP support

Posted: Tue Feb 03, 2015 12:56 pm
by fulgan
RMcGirr83 wrote:but I agree with Robert, cloudflare has caused problems on many forums. Namely with caching (admin makes a change expecting to see an immediate effect and it doesn't change for a while due to cloudflare).
Honestly, that's what happen when you don't know what you're doing. Cloudflare makes it easy to put a WAF, IP reputation filter and CDN in front of your web site but it isn't fairy dust either: you still have to understand a bit how to set it up.

Maybe I should write a short guide about how to do it properly. But for that, I'd need the last piece: a fix to PHPBB where is properly supports X_FORWARDED_FOR (and possibly, have white list of allowed clients that can directly connects to it)

Re: Cloudflare IP support

Posted: Tue Feb 03, 2015 4:21 pm
by RMcGirr83
Let's be clear, it isn't me setting it up. It is admins for the forum setting it up and then asking for modification support as to why the coloring, or whatever, isn't changing.

Re: Cloudflare IP support

Posted: Tue Feb 03, 2015 4:26 pm
by fulgan
RMcGirr83 wrote:Let's be clear, it isn't me setting it up. It is admins for the forum setting it up and then asking for modification support as to why the coloring, or whatever, isn't changing.
I wasn't suggesting you were the one failing tho understand how to set it up, really. I was merely commenting on the fact that, if you do, you need to understand what you're doing.

Re: Cloudflare IP support

Posted: Tue Feb 03, 2015 9:34 pm
by romsko
Hi mate,

try to replace

Code: Select all

$this->ip = htmlspecialchars_decode($request->server('REMOTE_ADDR'));
with

Code: Select all

$this->ip = ((!empty($request->server('HTTP_CF_CONNECTING_IP')))
          ? htmlspecialchars_decode($request->server('HTTP_CF_CONNECTING_IP')) : '')
          : ((!empty($request->server('REMOTE_ADDR'))) ? htmlspecialchars_decode($request->server('REMOTE_ADDR')) : '');
I don't have test that code, but should work;

Re: Cloudflare IP support

Posted: Tue Feb 03, 2015 11:52 pm
by RMcGirr83
Can more simply be

Code: Select all

$this->ip = !empty($request->server('HTTP_CF_CONNECTING_IP'))
          ? htmlspecialchars_decode($request->server('HTTP_CF_CONNECTING_IP')) : htmlspecialchars_decode($request->server('REMOTE_ADDR'));

Re: Cloudflare IP support

Posted: Wed Feb 04, 2015 4:24 am
by Lumpy Burgertushie
the problem is that for many users they simply read that they will get some benefit for using cloudfare and just go turn it on in their hosting control panel. many hosts may be turning it on by default without knowing what they are doingf or how to set it up properly .( like they do with mod_security sometimes ).

I don't know much about it but it seems to me to be another way to get a lot of the same features that have always been available in a hosting enviornment. I know, I am an old codger that doesn't like change sometimes.
I have always said, "if it aint broke, don't fix it".


robert

Re: Cloudflare IP support

Posted: Wed Feb 04, 2015 8:42 am
by fulgan
the problem is that for many users they simply read that they will get some benefit for using cloudfare and just go turn it on in their hosting control panel.
You can't prevent people from doing stupid things. Best is to see it as a educational.
many hosts may be turning it on by default without knowing what they are doing or how to set it up properly .( like they do with mod_security sometimes ).
I doubt this, really. If it's professional hosting, they do know what they are doing. If it's amateur hosting, well, then, again, that's the way people learn.

The current situation, however, it really uncomfortable: it is simply impossible to put any type of reverse proxy (cloudflare or anything else) in front of a default PHPBB without breaking it in various way. This is specially annoying since: a) proper handling of reverse proxy is pretty easy (and even supported by Smphony already) b) not providing that support makes it very hard to do defense in depth (something that saved my DB a couple of times since I started using PHPBB with version 1.x)

Anyway, thank you for the code snippet. It doesn't work but thanks for the effort :)

Re: Cloudflare IP support

Posted: Wed Feb 04, 2015 6:31 pm
by Lumpy Burgertushie
I doubt this, really. If it's professional hosting, they do know what they are doing.
you must not have dealt with many hosting companies.

godaddy, ipage, just to name a couple and I have no idea how many times I have seen here where so called "professional" hosting companies have setup their mod_security with the defaults with no idea the problems they are causing their customers.

most of the time the "professionals" simply install server software out of the box and either don't know how to set things up or don't care.

just ranting.


robert

Re: Cloudflare IP support

Posted: Wed Feb 04, 2015 6:40 pm
by BigDrago
Well...site is never offline, free ssl, railgun etc... Add site directly to cloudflare.com, no reason to enable it through cpanel.

Cloudflare support haven't answered me yet.

Re: Cloudflare IP support

Posted: Wed Feb 04, 2015 9:54 pm
by BigDrago
Regarding 3.0.13
I found this line:

Code: Select all

$this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? (string) $_SERVER['REMOTE_ADDR'] : '';
But the support page:
https://support.cloudflare.com/hc/en-us ... ith-PHPBB-

Says I should find this line (which isnĀ“t there)

Code: Select all

$this->ip = (!empty($_SERVER['REMOTE_ADDR'])) ? htmlspecialchars((string) $_SERVER['REMOTE_ADDR']) : '';

Anyway, I changed the first code to this:

Code: Select all

$this->ip = (!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) ? htmlspecialchars((string) $_SERVER['HTTP_CF_CONNECTING_IP']) : '';
Still waiting for Cloudflare to fix the issue with 3.1.x